Skip to content

Latest commit

 

History

History
56 lines (38 loc) · 2.47 KB

README.md

File metadata and controls

56 lines (38 loc) · 2.47 KB

CVE-2024-4295-Poc

CVE-2024-4295 Email Subscribers by Icegram Express <= 5.7.20 - Unauthenticated SQL Injection via hash

Call Stack

ES_DB_Lists_Contacts->edit_subscriber_status (\email-subscribers\lite\includes\db\class-es-db-lists-contacts.php:616)
Email_Subscribers_Public->es_email_subscribe_init (\email-subscribers\lite\public\class-email-subscribers-public.php:178)
WP_Hook->apply_filters (\var\www\html\wp-includes\class-wp-hook.php:324)
WP_Hook->do_action (\var\www\html\wp-includes\class-wp-hook.php:348)
do_action (\var\www\html\wp-includes\plugin.php:517)
require_once (\var\www\html\wp-settings.php:695)
require_once (\var\www\html\wp-config.php:133)
require_once (\var\www\html\wp-load.php:50)
require (\var\www\html\wp-blog-header.php:13)
{main} (\var\www\html\index.php:17)

File: email-subscribers/lite/public/class-email-subscribers-public.php

image

image

File: email-subscribers/lite/includes/db/class-es-db-lists-contacts.php

image

Poc:

  1. Email Subscribe image

  2. Check mail

image

  1. Found link format: /?es=optin&hash={{encode base64}}

Example link:

http://192.168.110.184:8080/?es=optin&hash=eyJtZXNzYWdlX2lkIjowLCJjYW1wYWlnbl9pZCI6MCwiY29udGFjdF9pZCI6IjMiLCJlbWFpbCI6Imt1cDU4MjQzQGlsZWJpLmNvbSIsImd1aWQiOiJiYXNvd3otZnpjYWRqLXN6ZmxycS1qY2ViYWYtdXpxYm12IiwibGlzdF9pZHMiOlsiMiJdLCJhY3Rpb24iOiJzdWJzY3JpYmUifQ==

image

Example hash:

eyJtZXNzYWdlX2lkIjowLCJjYW1wYWlnbl9pZCI6MCwiY29udGFjdF9pZCI6IjMiLCJlbWFpbCI6Imt1cDU4MjQzQGlsZWJpLmNvbSIsImd1aWQiOiJiYXNvd3otZnpjYWRqLXN6ZmxycS1qY2ViYWYtdXpxYm12IiwibGlzdF9pZHMiOlsiMiJdLCJhY3Rpb24iOiJzdWJzY3JpYmUifQ==

Decode base64 value from parameter hash: image

Poc.mp4